b"OFFICE OF INSPECTOR GENERAL\n\n\n\nAUDIT OF USAID's\nIMPLEMENTATION OF KEY\nCOMPONENTS OF A PRIVACY\nPROGRAM FOR ITS\nINFORMATION TECHNOLOGY\nSYSTEMS\nAUDIT REPORT NO. A-000-06-003-P\nJune 8, 2006\n\n\n\n\nWASHINGTON, DC\n\n\x0cOffice of Inspector General\n\n\nJune 8, 2006\n\nMEMORANDUM\n\nTO:                 A-AA/M, Mosina Jordan\n                    AA/LPA, J. Edward Fox\n\nFROM:               AIG/A, Joseph Farinella /s/\n\nSUBJECT:            Audit of USAID's Implementation of Key Components of a Privacy Program for its\n                    Information Technology Systems (Report No. A-000-06-003-P)\n\nThis memorandum transmits our final report on the subject audit. We have considered your\ncomments on the draft report and have included your response (excluding the attachment) in its\nentirety in Appendix II.\n\nThis report contains nine recommendations to help USAID improve its privacy program over its\ninformation technology systems. Based on your response and the supporting documentation\nprovided, final action has been taken on Recommendation No. 1. In addition, management\ndecisions have been reached on Recommendation Nos. 2 through 8. Please notify the Bureau\nfor Management\xe2\x80\x99s Audit, Performance and Compliance Division when final action is completed.\n\nAgain, I want to express my sincere appreciation for the cooperation and courtesies extended to\nmy staff during this audit.\n\n\n\n\nU.S. 
Agency for International Development\n1300 Pennsylvania Avenue, NW\nWashington, DC 20523\nwww.usaid.gov\n\x0cCONTENTS\n\nSummary of Results......................................................................................................................1\n\n\nBackground....................................................................................................................................2\n\n\nAudit Objective.................................................................................................................................2\n\n\nAudit Findings................................................................................................................................3\n\n\n     USAID Did Not Implement Key Components of\n     a Privacy Program .....................................................................................................................3\n\n\nEvaluation of Management Comments.....................................................................................16\n\n\nAppendix I \xe2\x80\x93 Scope and Methodology......................................................................................17\n\n\nAppendix II \xe2\x80\x93 Management Comments .....................................................................................18\n\n\x0cSUMMARY OF RESULTS\n\nThe Information Technology and Special Audits Division of the Office of Inspector General in\nWashington, D.C. initiated this audit to address selected privacy reporting requirements outlined\nin the E-Government Act of 2002 and the Privacy Act of 1974. (See page 2.)\n\nOverall, this audit found that USAID did not implement key components of a privacy program for\nits information technology systems to mitigate the risk of violations against key information\ntechnology privacy requirements. 
Specifically, USAID did not have a:\n\n\xe2\x80\xa2\t     Privacy management structure, including:\n\n       o\t     A key privacy official with full authority over the Agency\xe2\x80\x99s privacy program, as\n              required.\n       o\t     Other privacy roles and corresponding responsibilities.\n\n\xe2\x80\xa2\t     Comprehensive set of privacy policies and procedures, including:\n\n       o\t     Privacy policies and procedures fully referenced to other requirements .\n       o\t     Procedures for privacy impact assessments.\n       o\t     Procedures for responding to privacy violations.\n\n\xe2\x80\xa2\t     Privacy training and awareness program.\n\n\xe2\x80\xa2\t     Process to monitor compliance with privacy requirements, including:\n\n       o\t     Updates to and creation of System of Records Notices.\n       o\t     Agency-funded websites. (See pages 3-13.)\n\nThese weaknesses occurred primarily because USAID officials did not consider privacy to be a\nhigh priority and, therefore, did not take actions to correct known weaknesses . (See\npages 13-14.) As a result, USAID did not always protect personally identifying information\nabout the public. (See page 13.)\n\nAs such, we are making nine recommendations to help USAID develop and implement a privacy\nprogram for its information technology systems. (See pages 6-15.)\n\nUSAID management agreed to take corrective action on all nine recommendations in the report.\nBased on your response and the supporting documentation provided, final action has been\ntaken on Recommendation No. 1. In addition, management decisions have been reached on\nRecommendation Nos. 2 through 8. (See page 16.)\n\n\n\n\n                                                                                               1\n\x0cBACKGROUND\n\nThe Privacy Act of 1974 was created in response to concerns about the collection and use of\npersonal information, which might impact an individual\xe2\x80\x99s privacy rights. 
The Privacy Act states\nthat each agency that maintains a system of records1 shall retain only such information about an\nindividual as is relevant and necessary to accomplish a purpose of the agency.\n\nIn addition, the E-Government Act of 2002 was signed by the President on December 17, 2002,\nand became effective on April 17, 2003. The privacy objective of the E-Government Act\ncomplements the National Strategy to Secure Cyberspace. As the National Strategy indicates,\nprivacy policies and practices in the federal agencies will ensure that information is handled in a\nmanner that maximizes privacy.\n\nSection 208 of the E-Government Act of 2002 requires that the Office of Management and\nBudget (OMB) issue guidance to agencies on implementing the privacy provisions of the\nE-Government Act. Accordingly, OMB issued Memorandum M-03-22, \xe2\x80\x9cOMB Guidance for\nImplementing the Privacy Provisions of the E-Government Act of 2002,\xe2\x80\x9d dated September 26,\n2003. According to the Memorandum, federal agencies are required to, among other things:\n(1) conduct privacy impact assessments for electronic information systems and collections and,\nin general, make them publicly available and (2) post privacy policies on agency websites used\nby the public.\n\nIn order for an Agency to have a viable privacy program, there are several essential elements\nthat must be present: (1) a privacy management structure; (2) policies and procedures,\nincluding violation response; (3) awareness and training; and (4) monitoring compliance.\n\nAUDIT OBJECTIVE\nThis audit was initiated to address selected privacy reporting requirements outlined in the\nE-Government Act of 2002 and the Privacy Act of 1974. 
As such, this audit was added to the\nOffice of Inspector General\xe2\x80\x99s annual audit plan to answer the following question:\n\n       Did USAID implement key components of a privacy program for its\n       information technology systems to mitigate the risk of violations against\n       key information technology privacy requirements?\n\nFor this audit, \xe2\x80\x9ckey components\xe2\x80\x9d of a privacy program are (1) privacy management structure\n(including clear assignment of roles and responsibilities); (2) policies and procedures, including\nviolation response; (3) awareness and training; and (4) monitoring compliance.\n\nA description of our scope and methodology is contained in Appendix I.\n\n\n\n\n1\n  A system of records is a group of records that maintains personally identifying information about an\nindividual.\n\n\n                                                                                                     2\n\x0cAUDIT FINDINGS\n\nUSAID did not implement key components of a privacy program for its information technology\nsystems to mitigate the risk of violations against key information technology privacy\nrequirements.\n\nSpecifically, USAID did not have a:\n\n\xe2\x80\xa2\t       Privacy management structure, including:\n\n         o\t      A key privacy official with authority over the Agency\xe2\x80\x99s privacy program, as\n                 required.\n         o\t      Other privacy roles and corresponding responsibilities.\n\n\xe2\x80\xa2\t       Comprehensive set of privacy policies and procedures, including:\n\n         o\t      Privacy policies and procedures fully referenced to other requirements .\n         o\t      Procedures for privacy impact assessments.\n         o\t      Procedures for responding to privacy violations.\n\n\xe2\x80\xa2\t       Privacy training and awareness program.\n\n\xe2\x80\xa2\t       Process to monitor compliance with privacy requirements, including:\n\n         o\t      Updates to and creation of 
System of Records Notices.\n         o       Agency-funded websites.\n\nThe following section discusses this issue in detail.\n\n\nUSAID Did Not Implement Key\nComponents of a Privacy Program\n\n     Summary: USAID did not implement key components of a privacy program for its\n     information technology systems to mitigate the risk of violations against key\n     information technology privacy requirements. Specifically, USAID did not have a\n     (1) privacy management structure, (2) comprehensive set of privacy policies and\n     procedures, (3) privacy training and awareness program, and (4) process to\n     monitor compliance with privacy requirements. These weaknesses occurred\n     primarily because USAID officials did not consider privacy to be a high priority and,\n     therefore, did not take actions to correct known weaknesses. As a result, USAID\n     did not always protect personally identifying information about the public.\n\n\nThe following discusses the key components of a privacy program that USAID needs to implement\nfor its information technology systems.\n\n\n\n\n                                                                                             3\n\x0cUSAID Needs a Privacy Management Structure \xe2\x80\x93 According to the U.S. Government\nAccountability Office\xe2\x80\x99s (GAO) \xe2\x80\x9cStandards for Internal Control in the Federal Government,\xe2\x80\x9d one\nfactor affecting the control environment is the agency\xe2\x80\x99s organizational structure. Organizational\nstructure provides management\xe2\x80\x99s framework for (1) planning, (2) directing; and (3) controlling\noperations to achieve agency objectives. 
Thus, a strong internal control environment requires that\nthe agency\xe2\x80\x99s organizational structure clearly define key areas of authority and responsibility and\nestablish appropriate lines of reporting.\n\nHowever, as discussed in the following sections, USAID did not (1) appoint a key Agency\nprivacy official with authority over the Agency\xe2\x80\x99s privacy program, as required, and (2) assign\nother privacy roles and responsibilities. [See \xe2\x80\x9cCause of Problems Identified\xe2\x80\x9d section (pages 13\xc2\xad\n14) for a discussion of the reason USAID did not have a privacy management structure in\nplace.]\n\n       Key Agency Privacy Official Needed \xe2\x80\x93 Office of Management and Budget\nMemorandum (OMB) M-05-08, \xe2\x80\x9cDesignation of Senior Agency Officials for Privacy\xe2\x80\x9d\n(February 11, 2005) and section 522 of the Consolidated Appropriations Act of 2005 require\nAgencies to appoint a key Agency privacy official. However, although USAID designated a\nSenior Agency Official for Privacy (SAOP) and a Privacy Act Officer (PAO), neither was\ndelegated authority over the Agency\xe2\x80\x99s privacy program, as required. The following section\ndiscusses this issue in detail.\n\nExecutive Order 13353, Section 1 (August 27, 2004) was enacted to:\n\n       \xe2\x80\xa6protect the legal rights of all Americans, including freedoms, civil liberties, and\n       information privacy guaranteed by Federal law, in the effective performance of\n       national security and homeland security functions.\n\nOMB Memorandum M-05-08, implemented Executive Order 13353, Section 1.                    The\nMemorandum required each Agency to appoint a senior official who will have overall agency-\nwide responsibility for information privacy issues. According to the Memorandum, that\nappointee should be the Agency\xe2\x80\x99s Chief Information Officer or another senior official at the\nAssistant Secretary equivalent level. 
Further, the Memorandum states that:\n\n       \xe2\x80\xa6the senior agency official will have overall responsibility and accountability for\n       ensuring the agency\xe2\x80\x99s implementation of information privacy protections,\n       including the agency\xe2\x80\x99s full compliance with federal laws, regulations, and policies\n       relating to information privacy, such as the Privacy Act.\n\nIn addition, the Memorandum states that the Senior Agency Official for Privacy (SAOP) shall\nhave a central role in overseeing, coordinating, and facilitating the agency\xe2\x80\x99s compliance efforts.\n\nIn July 2005, USAID appointed a SAOP, who assumed overall responsibility for policy relating to\nAgency information privacy issues, including collection, use, sharing, and disclosure of personal\ninformation. However, the Agency did not give the SAOP authority to oversee USAID\xe2\x80\x99s privacy\nprogram as required by OMB Memorandum M-05-08. For example, USAID\xe2\x80\x99s SAOP was not\ngiven responsibility for:\n\n\xe2\x80\xa2\t     Reviewing the Agency\xe2\x80\x99s information privacy procedures.\n\xe2\x80\xa2\t     Identifying methods to use technology to reinforce and sustain the privacy of personal\n       information.\n\n\n                                                                                                4\n\x0c\xe2\x80\xa2\t     Ensuring privacy training and education for Agency employees and contractors.\n\xe2\x80\xa2\t     Conducting periodic reviews to promptly identify privacy deficiencies, weaknesses, or\n       risks.\n\nIn addition, although the SAOP was given responsibility for reviewing information privacy policy\nissues, the SAOP did not have overall authority to manage USAID\xe2\x80\x99s privacy program.\n\nAs a result of not being assigned all of the privacy roles and responsibilities identified in OMB\nMemorandum M-05-08, the SOAP could not enforce privacy requirements. 
For example, the\nSAOP developed privacy impact assessments (PIAs) for nine of USAID\xe2\x80\x99s critical systems which\ncollect personally identifying information. The PIAs were provided to the appropriate privacy\nofficial so that they could be processed and published in the Federal Register. However, the\nSAOP later learned that, due to other priorities, the PIAs were not processed for publication in\nthe Federal Register. Moreover, the SAOP did not have the authority to enforce the requirement\nto process and publish the PIAs because, as illustrated in Chart 1 below, he did not have a\ndirect line of authority to require other privacy officials, such as the Privacy Act Officer (PAO)\nand the official in charge of websites, to meet privacy requirements.\n\n\n                                    Chart 1. USAID\xe2\x80\x99s Privacy Related Offices\n\n\n\n                                  This organization chart illustrates the location of privacy\n                         officials within USAID. A/AID is at the top of hierarchy. Reporting\n                         directly to the A/AID is the CIO. Under the CIO is the SAOP and\n                         M/AS. The PAO reports directly to the M/AS. Also reporting to the\n                         A/AID is the AA/LPA. 
LPA/PIOPS (responsible for websites) reports to\n                         the AA/LPA.\n\n\n\n\n               Legend:\n               A/AID.................Office of the Administrator\n\n               AA/LPA..............Assistant Administrator, Bureau for Legislative and Public Affairs\n\n               AA/M..................Assistant Administrator, Bureau for Management\n\n               CIO....................Chief Information Officer\n\n               LPA/PIPOs........Bureau for Legislative and Public Affairs, Public Information, Production\n\n                                      and On-line Services Division\n               M/AS..................Bureau for Management, Administrative Services\n               PAO...................Privacy Act Officer\n               SAOP ................Senior Agency Official for Privacy\n\n\n\n\n                                                                                                             5\n\x0cIn addition, section 522 of the Consolidated Appropriations Act of 2005 requires that each\nagency have a Chief Privacy Officer (CPO) to assume primary responsibility for privacy and\ndata protection policy. As of the date of this report, OMB has not issued implementing guidance\nfor this Act.\n\nIn October 2005, USAID reported that the Agency had a CPO. However, it was later determined\nthat rather than a CPO, USAID had a Privacy Act Officer who was appointed in August 1994. That\nPrivacy Act Officer was responsible for:\n\n\xe2\x80\xa2\t     Authorizing Privacy Act requests for the Agency.\n\xe2\x80\xa2\t     Participating in the Agency\xe2\x80\x99s Privacy Working Group.\n\xe2\x80\xa2\t     Updating the Automated Directives System (ADS) Chapters (508 and 509).\n\nHowever, the above responsibilities do not encompass all of the responsibilities of a CPO identified\nin section 522 of the Consolidated Appropriation Act of 2005. 
For example, the Privacy Act Officer\ndid not have responsibility for:\n\n\xe2\x80\xa2\t     Assuring that personal information contained in Privacy Act systems of records is handled\n       in full compliance with fair information practices as defined in the Privacy Act of 1974.\n\n\xe2\x80\xa2\t     Conducting a privacy impact assessment of proposed rules of the Agency on the privacy of\n       information in an identifiable form, including the type of personally identifiable information\n       collected and the number of people affected.\n\n\xe2\x80\xa2\t     Training and educating employees on privacy and data protection policies to promote\n       awareness of and compliance with established privacy and data protection policies.\n\n\xe2\x80\xa2\t     Ensuring that the Agency protects information in an identifiable form from unauthorized\n       access, use, disclosure, disruption, modification, or destruction.\n\n\xe2\x80\xa2\t     Preparing a report to Congress on an annual basis on activities of the Agency that affect\n       privacy, including complaints of privacy violations, internal controls, and other relevant\n       matters.\n\nAs a result of not having a key Agency privacy official in place, USAID did not have an individual\nwith the authority to implement and enforce an Agency-wide privacy program. Moreover,\nUSAID did not have an individual that could be held accountable for ensuring that the Agency\nadequately protected privacy information about members of the public. Therefore, we are\nmaking the following recommendation.\n\n       Recommendation No. 
1: We recommend that USAID\xe2\x80\x99s Assistant Administrator\n       for the Bureau for Management, in collaboration with the Assistant Administrator\n       for Legislative and Public Affairs, request that USAID\xe2\x80\x99s Administrator appoint a\n       senior-level, key Agency privacy official with full authority to develop and\n       implement USAID\xe2\x80\x99s privacy program .\n\n(Subsequent to the issuance of our draft report, we added the word \xe2\x80\x9cfull\xe2\x80\x9d to Recommendation\nNo. 1 to clarify the intent of the recommendation. USAID officials agreed with this change.)\n\n\n\n\n                                                                                                   6\n\x0c       Assignment of Other Privacy Roles and Responsibilities Needed - USAID\xe2\x80\x99s ADS 508,\n\xe2\x80\x9cPrivacy Act 1974,\xe2\x80\x9d assigns responsibility for the Agency to meet requirements of the Privacy Act of\n1974. Specifically, ADS 508 assigns roles and responsibilities to officials, including:\n\n\xe2\x80\xa2      Director, Office of Administrator Services.\n\xe2\x80\xa2      General Counsel, Ethics/Administration.\n\xe2\x80\xa2      Privacy Officer.\n\xe2\x80\xa2      Privacy Act Implementation Officer.\n\xe2\x80\xa2      Privacy Coordination Officer.\n\nHowever, according to the Privacy Act Officer, USAID\xe2\x80\x99s privacy roles were:\n\n\xe2\x80\xa2      Chief Information Officer.\n\xe2\x80\xa2      Privacy Act Officer.\n\xe2\x80\xa2      Chief Privacy Officer.\n\xe2\x80\xa2      Senior Official for Privacy.\n\xe2\x80\xa2      Privacy Advocate.\n\nFurther, in an October 2005 report2 to OMB, USAID\xe2\x80\x99s key privacy roles were identified as:\n\n\xe2\x80\xa2      Agency Head.\n\xe2\x80\xa2      Chief Information Officer.\n\xe2\x80\xa2      Agency Inspector General.\n\xe2\x80\xa2      Chief Information Security Officer.\n\xe2\x80\xa2      Senior Agency Official for Privacy.\n\xe2\x80\xa2      Chief Privacy Officer.\n\xe2\x80\xa2      
Reviewing Official for privacy impact assessments.\n\nAs shown in the preceding paragraphs , USAID\xe2\x80\x99s privacy roles need to be clearly defined and\nupdated. Moreover, once the roles are defined, the corresponding responsibilities need to be\ndetermined. However, according to USAID officials, these updates were not made because\nadequate staff and resources were not available to carry out the privacy functions.\n\nAs a result of not clearly assigning roles and responsibilities, USAID can not fully implement an\nAgency-wide privacy program to protect personally identifying information about the public.\nTherefore, we are making the following recommendation.\n\n       Recommendation 2: We recommend USAID\xe2\x80\x99s key Agency privacy official clearly\n       assign privacy roles and define the corresponding responsibilities.\n\n\nUSAID Needs a Comprehensive Set of Privacy Policies and Procedures - According to GAO\xe2\x80\x99s\n\xe2\x80\x9cStandards for Internal Control in the Federal Government,\xe2\x80\x9d management is responsible for\ndeveloping detailed policies, procedures, and practices to fit their agency\xe2\x80\x99s operations and to\nensure that they are built into an integral part of operations. Policies and procedures are control\nmechanisms that enforce management\xe2\x80\x99s directives to ensure that actions are taken to address\nrisks.\n\n2\n This information was reported in USAID\xe2\x80\x99s fiscal year 2005 Federal Information Security Management Act\nand Privacy Management Report.\n\n\n                                                                                                    7\n\x0cHowever, as discussed below, USAID did not have a comprehensive set of privacy policies and\nprocedures. Specifically, USAID\xe2\x80\x99s privacy policies and procedures were not fully referenced to\nother requirements . In addition, USAID did not have procedures for conducting privacy impact\nassessments and responding to privacy violations. 
[See \xe2\x80\x9cCause of Problems Identified\xe2\x80\x9d section\n(pages 13-14) for a discussion of the reason USAID did not have a comprehensive set of\nprivacy policies and procedures in place.]\n\n       Privacy Policies and Procedures Need to be Fully Referenced to Other\nRequirements \xe2\x80\x93 According to ADS 501, \xe2\x80\x9cThe Automated Directives System ,\xe2\x80\x9d mandatory\nreferences to the ADS comprise of external references as well as Agency guidance that must be\nadhered to. In addition, according to \xe2\x80\x9cThe ADS Process: A Mandatory Reference for ADS\nChapter 501,\xe2\x80\x9d such references must be cited in ADS chapters and will be hyperlinked.\n\nUSAID\xe2\x80\x99s privacy policies and procedures are described in various ADS chapters, interim updates,\nand Agency notices. However, the privacy policies and procedures were not fully referenced to\nindicate that other privacy policies exist.\n\nFor example:\n\n\xe2\x80\xa2\t     ADS 508, \xe2\x80\x9cPrivacy Act \xe2\x80\x93 1974,\xe2\x80\x9d section 508.5.6, states that USAID shall publish in the\n       Federal Register a description of each system of records that the Agency maintains. In\n       addition, ADS 509, \xe2\x80\x9cCreating, Altering, or Terminating a System of Records (Records\n       Pertaining to Individuals),\xe2\x80\x9d outlines the policies and essential procedures for the creation,\n       alteration, or termination of a System of Records that meets the requirements of the Privacy\n       Act. However, there were no references between the two chapters to indicate to the reader\n       that USAID had additional policies and procedures for Systems of Records.\n\n\xe2\x80\xa2\t     ADS 557, \xe2\x80\x9cPublic Information,\xe2\x80\x9d was established to, among other things, provide the policy\n       for Agency information distributed to the public, including via the Internet. 
In addition,\n       Interim Update 04-01, \xe2\x80\x9cUpdated Privacy Policy for USAID Information Technology\n       Systems, Including Publicly Accessible Web Sites,\xe2\x80\x9d was issued to alert USAID\n       employees and contractors of their responsibilities under the E-Government Act of 2002\n       for, among other things, designing and creating web pages and web sites. However,\n       although the Interim Update states that it is a mandatory reference to ADS 557, the\n       Interim Update was not referenced in ADS 557.\n\nAs such, because the policies were not fully referenced, readers could easily overlook other critical\naspects that were needed to meet privacy requirements. Although, on USAID\xe2\x80\x99s intranet, the ADS\nhome page referenced some of its privacy policies, we are making the following recommendation\nto assist USAID in referencing its privacy policies and procedures.\n\n       Recommendation No. 3: We recommend that USAID\xe2\x80\x99s key Agency privacy official\n       completely reference the Agency\xe2\x80\x99s privacy policies and procedures to other\n       requirements in the Automated Directives System.\n\n\n       Procedures for Privacy Impact Assessments Needed \xe2\x80\x93 OMB defined a privacy\nimpact assessment (PIA) as an analysis of how information is handled to (1) ensure handling\nconforms to applicable legal, regulatory, and policy requirements regarding privacy;\n\n\n\n                                                                                                   8\n\x0c(2) determine the risks and effects of collecting, maintaining and disseminating information in\nidentifiable form in an electronic information system; and (3) examine and evaluate protections\nand alternative processes for handling information to mitigate potential privacy risks.\n\nThe E-Government Act of 2002, requires Agencies to complete PIAs prior to (1) developing or\nprocuring information technology systems or projects that collect, 
maintain or disseminate\ninformation in identifiable form about an individual, or (2) initiating, consistent with the\nPaperwork Reduction Act, a new electronic collection of information in identifiable form for 10 or\nmore persons excluding agencies, instrumentalities or employees of the federal government.\nSpecifically, Agencies are required to:\n\n\xe2\x80\xa2\t     Conduct PIAs .\n\xe2\x80\xa2\t     Ensure the Chief Information Officer (or equivalent official) reviews the PIAs.\n\xe2\x80\xa2\t     Make the PIAs publicly available through the website of the agency, publication in the\n       Federal Register, or other means.\n\nIn addition, OMB Memorandum M-03-22, \xe2\x80\x9cOMB Guidance for Implementing the Privacy\nProvisions of the E-Government Act of 2002\xe2\x80\x9d (September 26, 2003) requires that PIAs be\nperformed and updated, as necessary, when a system change creates new privacy risks.\n\nUSAID has various policies that describe PIAs. Specifically:\n\n\xe2\x80\xa2\t     ADS 545.3.1.6, \xe2\x80\x9cSystem Development Life Cycle (SDLC) Planning,\xe2\x80\x9d makes the system\n       owner responsible for conducting PIAs.\n\xe2\x80\xa2\t     USAID\xe2\x80\x99s Interim Update 04-01, \xe2\x80\x9cUpdated Privacy Policy for USAID Information\n       Technology Systems, Including Publicly Accessible Web Sites\xe2\x80\x9d alerted USAID\n       employees and contractors who develop or manage information technology on behalf of\n       USAID of their responsibilities to perform PIAs as described in OMB M-03-22 (discussed\n       above).\n\xe2\x80\xa2\t     Mandatory references to ADS 577, \xe2\x80\x9cInformation Technology Capital Planning and\n       Investment Control,\xe2\x80\x9d require that, as part of the information technology investment\n       process, a determination be made as to whether a PIA has been conducted.\n\n(USAID also has a handbook that discusses some aspects of conducting PIAs, but the\nhandbook was not up-to-date and was not incorporated 
into official Agency policy and\nprocedures ). However, none of the aforementioned policies describe procedures to ensure\nPIAs are conducted when required. Specifically, the policies do not address:\n\n\xe2\x80\xa2\t      How the complete inventory of systems of records will be obtained and maintained.\n\xe2\x80\xa2\t      What collection of personal information (e.g., name, address, phone number, e-mail\n        address) maintained in a system necessitates the need for a PIA.\n\xe2\x80\xa2\t      Who within the Agency has overall responsibility for ensuring that PIAs are conducted\n        and made available to the public.\n\xe2\x80\xa2\t      Who within the Agency is responsible for reviewing and approving PIAs.\n\xe2\x80\xa2\t      Who the PIAs must be submitted to upon completion.\n\xe2\x80\xa2\t      What mechanism the Agency will use to make the PIAs available to the public.\n\nAs a result of the above deficiencies, USAID did not have a complete inventory of systems\nrequiring PIAs . Moreover, USAID could not assure that PIAs were conducted and made\navailable to the public, when required. This problem was particularly prevalent with respect to\n\n\n                                                                                                9\n\x0cAgency websites\xe2\x80\x94many of which collected personally identifying information from the public,\nsuch as names, addresses, phone numbers, and e-mail addresses. For example, one website\ncollected personal information from users who were ordering products. Another website\ncollected personal information from users who provided comments, suggestions or questions.\nYet another site collected personal information when the user created a new account for giving\nmonetary donations. Therefore, we are making the following recommendation.\n\n       Recommendation No. 
4: We recommend USAID\xe2\x80\x99s key Agency privacy official\n       develop and implement Agency-wide procedures for performing privacy impact\n       assessments.\n\n\n        Privacy Violation Response Procedures Needed \xe2\x80\x93 According to GAO\xe2\x80\x99s \xe2\x80\x9cStandards\nfor Internal Control in the Federal Government,\xe2\x80\x9d internal controls deficiencies should be\ncommunicated to the individual responsible for the function and also to at least one level of\nmanagement above that individual. In addition, managers must take proper actions to ensure\ndeficiencies are promptly resolved. Further, serious deficiencies should be reported to top\nmanagement.\n\nHowever, USAID did not develop procedures for responding to privacy violations. For example,\nUSAID did not:\n\n\xe2\x80\xa2\t     Identify the offices (such as the Bureau for Legislative and Public Affairs, the Office of\n       General Counsel, Office of Inspector General, Office of Information Resources\n       Management, Office of Security, or Office of Human Resources) that should be\n       contacted when a violation is identified.\n\xe2\x80\xa2\t     Determine the roles and responsibilities of the various offices involved in responding to\n       privacy violations.\n\xe2\x80\xa2\t     Describe the type of information that should be reported.\n\xe2\x80\xa2\t     Determine how lessons learned will be communicated (e.g., via training) to prevent\n       future reoccurrences of similar privacy violations.\n\nFor example, two websites were identified that inappropriately tracked users. In response, the\nChief Information Officer\xe2\x80\x99s staff began to work with owners of the websites to correct the\nproblems. However, when the incidents were brought to the attention of an Legislative and\nPubic Affairs official, he thought that it was his office\xe2\x80\x99s responsibility to work with the owners of\nthe website to correct the problem. 
Subsequently, upon reviewing Interim Notice #34, \xe2\x80\x9cUSAID\xe2\x80\x99s\nDivision of Responsibilities for USAID External Web Site,\xe2\x80\x9d (July 12, 2000) that official agreed\nthat it was not clear who was responsible for working with the website owners to correct the\nproblems.\n\nWithout clear procedures for responding to privacy violations, USAID personnel were not\ninformed of what actions should be taken to communicate and correct privacy problems.\nMoreover, USAID did not have a clear mechanism in place to prevent future recurrences of\nsimilar problems. Therefore, we are making the following recommendation.\n\n\n\n\n                                                                                                  10\n\x0c          Recommendation No. 5: We recommend that USAID\xe2\x80\x99s key Agency privacy official\n          develop and implement procedures for responding to privacy violations. At a\n          minimum, the procedures should include:\n\n          \xe2\x80\xa2\t      Identifying the offices that should be contacted when a violation is\n                  identified.\n          \xe2\x80\xa2\t      Determining the roles and responsibilities of the various offices involved\n                  in responding to privacy violations.\n          \xe2\x80\xa2\t      Describing the type of information that should be reported.\n          \xe2\x80\xa2\t      Determining how lessons learned will be communicated to prevent future\n                  reoccurrences of similar privacy violations.\n\n(Subsequent to the issuance of our draft report, we added the second sentence to\nRecommendation No. 5 and the corresponding bullets to help ensure that USAID\xe2\x80\x99s planned\ncorrective actions would be responsive to the problems discussed in the report. 
USAID officials\nagreed with this change.)\n\n\nUSAID Needs a Privacy Training and Awareness Program \xe2\x80\x93 GAO Standards for Internal\nControl in the Federal Government requires that management ensure that its workforce\xe2\x80\x99s skills are\ncontinually assessed. Training should be aimed at developing and retaining employee skill levels\nto meet challenging organizational needs.\n\nHowever, USAID did not have a privacy training program in place. Specifically, although USAID\ndeveloped 16 privacy Tips of the Day [3] for creating an awareness of privacy requirements among\nnetwork users, only two were approved by the Office of the General Counsel for distribution to\nUSAID employees. Moreover, those two tips were not distributed to all USAID personnel. As a\nresult of not having a privacy training and awareness program, USAID\xe2\x80\x99s employees did not comply\nwith requirements for protecting the privacy of the public. For example:\n\n\xe2\x80\xa2\t        PIAs were not always conducted on systems that collected personally identifying\n          information.\n\xe2\x80\xa2\t        System of Records Notices were not always published in the Federal Register.\n\xe2\x80\xa2\t        Websites did not always contain required privacy policy disclosures.\n\xe2\x80\xa2\t        Unapproved tracking mechanisms were identified on USAID websites.\n\nTherefore, the privacy of the public was not fully protected. [See \xe2\x80\x9cCause of Problems Identified\xe2\x80\x9d\nsection (pages 13-14) for a discussion of the reason USAID did not have a privacy training and\nawareness program in place.] As such, we are making the following recommendation.\n\n          Recommendation No. 
6: We recommend that USAID\xe2\x80\x99s key Agency privacy official\n          develop and implement an Agency-wide privacy training program.\n\nUSAID Needs a Process to Monitor Compliance With Privacy Requirements \xe2\x80\x93 GAO\nStandards for Internal Control in the Federal Government states that ongoing monitoring of\ninternal controls should occur in the course of normal operations and should be built into the\nagency\xe2\x80\x99s operations. It also states that monitoring of internal control should include policies and\nprocedures for ensuring that problems identified are promptly corrected.\n\n[3] Tips of the Day provide daily computer security reminders to USAID network users.\n\n\n                                                                                                11\n\x0cHowever, as discussed below, USAID had not developed and implemented a process to ensure\nongoing monitoring of its privacy program. [See \xe2\x80\x9cCause of Problems Identified\xe2\x80\x9d section (pages\n13-14) for a discussion of the reason USAID did not have a process in place to monitor\ncompliance with privacy requirements.]\n\n       Monitoring Updates and Creation of System of Records Notices \xe2\x80\x93 According to the\nPrivacy Act of 1974, each Agency that maintains a system of records must publish notification in\nthe Federal Register upon establishment of the system. In addition, the notice must be revised\nwhen the system is modified.\n\nIn addition, ADS 509, \xe2\x80\x9cCreating, Altering, or Terminating a System of Records (Records Pertaining\nto Individuals),\xe2\x80\x9d outlines the policies and essential procedures for the creation, alteration, or\ntermination of a System of Records that meets the requirements of the Privacy Act.\n\nHowever, USAID did not follow its procedures to update its System of Records Notices\n(SORNs) when required. As such, the SORNs, dated March 31, 1980, were not updated to\nreflect the Agency\xe2\x80\x99s current systems of records. 
For example, the SORNs currently published in\nthe Federal Register state that several of the systems of records are located in offices that\nUSAID no longer occupies in Virginia and Washington, D.C. However, the required updates to\nthe records were not made and published in the Federal Register. In addition, USAID recently\nconducted PIAs for nine systems of records, but did not prepare and publish SORNs in the\nFederal Register.\n\nAs a result of not monitoring the updating and publishing of SORNs, the public was not made\naware of the types of personally identifying information that USAID maintained. Therefore, we are\nmaking the following recommendation.\n\n       Recommendation No. 7: We recommend that USAID\xe2\x80\x99s key Agency privacy official\n       develop and implement a process to monitor the timely preparation and publishing\n       of System of Records Notices in the Federal Register.\n\n        Monitoring of Websites \xe2\x80\x93 ADS 557, \xe2\x80\x9cPublic Information,\xe2\x80\x9d (July 25, 2000) provides\nUSAID\xe2\x80\x99s policy for, among other things, Agency information distributed to the public. According\nto that policy, USAID\xe2\x80\x99s Bureau for Legislative and Public Affairs is responsible for reviewing\nAgency-produced or -funded materials available to the public on the Internet. The policy also\nstates that USAID Bureaus, Offices, and officers are responsible for submitting Agency-funded\nor -produced material for review prior to posting it to the Internet.\n\nIn July 2002, USAID issued interim update No. 34 to ADS 557, \xe2\x80\x9cDivision of Responsibilities\nfor USAID External Web Site.\xe2\x80\x9d That interim update was issued to restate the division of\nresponsibility for the USAID external web site and to amplify the matters in ADS 557. 
However,\nthe interim update discusses only USAID\xe2\x80\x99s external web site (i.e., www.usaid.gov), as opposed\nto all USAID-funded websites as discussed in ADS 557.\n\nConsistent with that narrower scope, USAID performed extensive monitoring to ensure that\ninformation posted on USAID\xe2\x80\x99s external web site met requirements. For example, USAID performed\n(1) content and technical reviews, including the privacy policy, before pages were added to the\nwebsite and (2) periodic scans to determine whether unauthorized persistent tracking mechanisms\nwere placed on the site.\n\n\n\n                                                                                              12\n\x0cIn contrast, USAID only recently began to perform limited monitoring for other Agency-funded\nwebsites. Specifically, after this audit began, USAID took initial steps to start scanning other\nAgency-funded websites for inappropriate tracking mechanisms. However, USAID did not\nmonitor the content of those websites, such as the privacy policies. According to a Bureau for\nLegislative and Public Affairs official, USAID would need additional staff and funding to monitor\nall of the Agency-funded websites.\n\nAs a result, privacy problems were prevalent on other Agency-funded websites. For example,\nof the 13 websites selected for review:\n\n\xe2\x80\xa2\t     Three (23 percent) did not have a privacy policy posted on the website to inform the\n       user of the nature, purpose, use, and sharing of personally identifying information that is\n       collected by the Agency. Moreover, seven of the websites (54 percent) with privacy\n       policies posted did not make most of the disclosures required by OMB Memorandum\n       M-03-22, \xe2\x80\x9cOMB Guidance for Implementing the Privacy Provisions of the E-Government Act\n       of 2002\xe2\x80\x9d (September 26, 2003). Such disclosures not made included notifying visitors of\n       their privacy rights and what personally identifying information is collected. 
However, the\n       privacy policy posted on USAID\xe2\x80\x99s external website made most of the required\n       disclosures.\n\n\xe2\x80\xa2\t     Two (15 percent) placed unapproved tracking mechanisms on the user\xe2\x80\x99s computer. In\n       addition, eight (62 percent) websites left the USAID-funded website\xe2\x80\x94without a\n       warning\xe2\x80\x94and launched other websites that placed tracking mechanisms on the user\xe2\x80\x99s\n       computer. However, no problems were identified with USAID\xe2\x80\x99s external website.\n\n\xe2\x80\xa2\t     Twelve (92 percent) of the websites were not on the .gov domain as required by\n       USAID\xe2\x80\x99s November 28, 2005, Policy Notice, \xe2\x80\x9cUSAID Websites and .gov Domains.\xe2\x80\x9d\n       According to OMB M-05-04, \xe2\x80\x9cPolicies for Federal Agency Public Websites,\xe2\x80\x9d December\n       17, 2004, hosting the websites on the .gov domain provides the public clear,\n       unambiguous notification of the Agency\xe2\x80\x99s sponsorship of the website. By not hosting the\n       websites on the .gov domain, members of the public were not assured that the\n       websites\xe2\x80\x94most of which collected personally identifying information\xe2\x80\x94were official\n       Agency websites.\n\nAs a result, the privacy of public users was sometimes invaded when using other Agency-funded\nwebsites. Moreover, such site users were not always made aware of how personally\nidentifying information, when collected, would be used.\n\nAlthough USAID has begun to take some actions to monitor other Agency-funded websites, we\nare making the following recommendation to help the Agency ensure the protection of the\npublic\xe2\x80\x99s privacy when using Agency-funded websites.\n\n       Recommendation No. 
8: We recommend that USAID\xe2\x80\x99s key Agency privacy\n       official establish a process to monitor Agency-funded websites to ensure the\n       privacy of website users is protected.\n\n\nCause of Problems Identified \xe2\x80\x93 USAID management was aware of the weaknesses in its\nprivacy program. However, as discussed below, corrective action was not taken because\nprivacy was not considered a priority for the Agency.\n\n\n\n                                                                                               13\n\x0cIn the past few years, several reports and reviews have been conducted that identified\nweaknesses in USAID\xe2\x80\x99s privacy program. For example, in December 2001, a USAID contractor\nreported on its evaluation of gaps in USAID\xe2\x80\x99s systems of records and privacy program. That\nreport determined that USAID\xe2\x80\x99s:\n\n\xe2\x80\xa2\t     Infrastructure for complying with privacy requirements was immature.\n\xe2\x80\xa2\t     Implementation and operation of the privacy policies were inconsistent.\n\xe2\x80\xa2\t     Approach to privacy needed to be customer-oriented, such as by providing training and\n       awareness.\n\nAs such, the report made several recommendations for USAID to improve areas of the\nprivacy program, including responsibility and organization, training, accountability, policy,\nand compliance. Additionally, the report made numerous recommendations to address specific\nnon-compliance issues, such as deficiencies in system of records notices.\n\nIn addition, on September 11, 2002, the Office of Inspector General issued \xe2\x80\x9cRisk Assessment of\nMajor Functions Within the Information and Records Division of the Office of Administrative\nServices, Bureau for Management\xe2\x80\x9d (Report No. A-000-02-003-S). That report concluded that\nsome ADS chapters were outdated and the Agency\xe2\x80\x99s system of records notices needed to be\nupdated. 
Therefore, the report suggested that the Office of Administrative Services institute\nimprovements regarding the ADS chapters and the inventory of systems of records. USAID\nmanagement agreed with the suggested course of action for the ADS chapters. However, for\nthe systems of records notices, USAID management responded that there were not enough\nmanpower resources to correct this inadequacy.\n\nIn addition, although USAID management was aware of the weaknesses in its privacy program,\ncorrecting the weaknesses was not a USAID priority. For example, USAID\xe2\x80\x99s prior Senior\nAgency Official for Privacy developed a privacy upgrade Action Plan, dated March 1, 2001.\nThat action plan identified some of the same problems identified in this audit, such as the need\nto (1) clarify privacy roles and responsibilities, (2) implement a privacy training and outreach\nprogram, and (3) document an integrated privacy policy for the Agency. However, according to\nUSAID management, staffing and funding limitations precluded the Agency from\nimplementing a privacy program.\n\nNonetheless, in recent years, Congress, OMB, and private interest groups have directed an\nincreased focus on privacy issues. For example, Section 522 of the 2005 Consolidated\nAppropriations Act requires the Inspector General to conduct an annual review of agency\nprivacy practices.\n\nTherefore, we believe it is imperative that USAID managers continue to better prioritize the\nworkload and mandatory tasks. Specifically, USAID needs to implement an Agency-wide\nprivacy program to meet the mandated requirements to protect the privacy of the public and,\nthus, protect the Agency\xe2\x80\x99s reputation. Due to the extensive weaknesses identified in USAID\xe2\x80\x99s\nprivacy program, Agency officials need to make privacy a priority by promptly taking corrective\nactions to address the recommendations made in this audit report. 
Thus, USAID should\nrecognize its privacy program as a reportable condition to be internally tracked and monitored\nuntil the weaknesses are corrected.\n\n\n\n\n                                                                                              14\n\x0cRecommendation No. 9: We recommend that USAID\xe2\x80\x99s key Agency privacy\nofficial request that the Management Control Review Committee review the\nAgency\xe2\x80\x99s privacy program and consider reporting, tracking, and monitoring its\nweaknesses as a reportable condition for the Agency.\n\n\n\n\n                                                                                15\n\x0cEVALUATION OF MANAGEMENT\nCOMMENTS\nUSAID management agreed to take corrective action on all nine recommendations in the report.\nFor Recommendation Nos. 2, 3, 4, 5, 6, 7, 8, and 9, USAID management provided corrective\naction plans and target completion dates. Therefore, we consider that management decisions\nhave been reached for the above recommendations. In addition, based on the response and\nsupporting documentation provided, final action has been taken on Recommendation No. 1\nupon issuance of this report. Specifically, we recommended that Agency officials request\nUSAID\xe2\x80\x99s Administrator to appoint a senior-level, key Agency privacy official with full authority to\ndevelop and implement USAID\xe2\x80\x99s privacy program. In response, Agency officials requested that\nUSAID\xe2\x80\x99s Administrator appoint a Chief Privacy Officer to assume primary responsibility for\nestablishing the Agency\xe2\x80\x99s privacy program in accordance with privacy laws and regulations.\n\nAside from addressing the recommendations, USAID management stated that the discussion\nabout the use of non-.gov domains for Agency-funded websites (before Recommendation No. 8)\nis not relevant to the privacy of information technology systems. 
However, we believe that\nmaintaining websites on the .gov domain as required provides a level of assurance to users that\nthe site is an official USAID website\xe2\x80\x94especially if the user chooses to provide personally\nidentifying information. Although we did not remove this discussion from the audit report, we\nreferenced OMB M-05-04, \xe2\x80\x9cPolicies for Federal Agency Public Websites,\xe2\x80\x9d December 17, 2004,\nwhich states that hosting the websites on the .gov domain provides the public clear,\nunambiguous notification of the Agency\xe2\x80\x99s sponsorship of the website.\n\nThe complete text of USAID\xe2\x80\x99s management comments is included in Appendix II.\n\n\n\n\n                                                                                                16\n\x0c                                                                                     APPENDIX I\n\n\n\n\nSCOPE AND METHODOLOGY\nScope\nThe Office of Inspector General, Information Technology and Special Audits Division conducted\nthis audit in accordance with generally accepted government auditing standards. The purpose\nof the audit was to determine whether USAID implemented key components of a privacy\nprogram. Audit fieldwork was conducted at USAID headquarters in Washington, D.C., from\nDecember 6, 2005 through April 5, 2006.\n\nThe audit included a follow-up on prior audit recommendations contained in Report\nNo. 
A-00-01-001-P, \xe2\x80\x9cAudit of USAID\xe2\x80\x99s Compliance with Internet Privacy Policies,\xe2\x80\x9d dated May 14,\n2001.\n\nIn addition, we tested the following internal controls in USAID\xe2\x80\x99s privacy program:\n\n\xe2\x80\xa2      Privacy management structure.\n\n\xe2\x80\xa2      Policies and procedures, including violation response.\n\n\xe2\x80\xa2      Awareness and training.\n\n\xe2\x80\xa2      Monitoring compliance.\n\nMethodology\nTo determine if USAID implemented key components of a privacy program, we obtained and\nreviewed the following laws and regulations: the E-Government Act of 2002; the Privacy Act of\n1974; and Office of Management and Budget Memorandum M-03-22, \xe2\x80\x9cOMB Guidance for\nImplementing the Privacy Provisions of the E-Government Act of 2002,\xe2\x80\x9d dated September 26,\n2003.\n\nIn addition, we conducted interviews with key USAID privacy personnel in the Bureau for\nManagement, Office of Administrative Services; Office of the Chief Information Officer; Bureau\nfor Legislative and Public Affairs; and Office of General Counsel. However, we did not interview\nor evaluate Privacy Liaison Officers at USAID Missions.\n\nWe considered the necessary components of a privacy program to be (1) privacy management\nstructure (including clear assignment of roles and responsibilities), (2) policies and procedures\n(including violation response), (3) awareness and training, and (4) monitoring compliance. 
For\neach component, we obtained and reviewed USAID documents including, but not limited to:\n(1) privacy impact assessments, (2) Privacy Tips of the Day, (3) the System of Records Inventory,\n(4) System of Records Notices, and (5) USAID\xe2\x80\x99s privacy policies and procedures.\n\nFinally, although USAID\xe2\x80\x99s universe of websites was incomplete, we selected a judgmental\nsample of 13 USAID-funded websites that contained USAID\xe2\x80\x99s logo and were updated as of\nSeptember 1, 2005, and tested compliance with privacy policy disclosures and use of tracking\nmechanisms.\n\n\n                                                                                          17\n\n\x0c                                                                                  APPENDIX II\n\n\n\n\n\nMANAGEMENT COMMENTS\n\n\n\n\n                                                                                May 23, 2006\n\nMEMORANDUM\n\nTO: \t         IG/A/ITSA, Melinda A. Dempsey\n\nFROM:\t        C/AID, Mosina Jordan \xe2\x80\x9c/s/\xe2\x80\x9d\n              AA/LPA, J. Edward Fox \xe2\x80\x9c/s/\xe2\x80\x9d\n\nSUBJECT:\t     Management Response to the OIG Draft Report on the Audit of USAID's\n              Implementation of Key Components of a Privacy Program for its Information\n              Technology Systems (Report No. A-000-06-00X-P)\n\nThank you for the opportunity to respond to the draft audit report. This memorandum\ncontains the management decisions for the Draft Audit of USAID\xe2\x80\x99s Implementation of\nKey Components of a Privacy Program for its Information Technology Systems.\n\nThere is one issue outside the recommendations that we would like to bring to your\nattention for consideration. This issue is described at the end of management\xe2\x80\x99s\nresponses to the recommendations. 
Management would appreciate it if the audit team\ncould consider this issue and make appropriate changes while finalizing its audit report.\n\nThe following are our management decisions and corrective actions regarding the\nproposed audit recommendations:\n\nRecommendation No. 1: We recommend that USAID\xe2\x80\x99s Assistant Administrator for the Bureau\nfor Management, in collaboration with the Assistant Administrator for Legislative and Public\nAffairs, request that USAID\xe2\x80\x99s Administrator appoint a senior-level, key Agency privacy official\nwith full authority to develop and implement USAID\xe2\x80\x99s privacy program.\n\nManagement Response: An Action Memorandum to the Administrator was sent from Mosina\nJordan and Edward Fox of the Bureaus for Management and Legislative and Public Affairs,\nrequesting the Administrator\xe2\x80\x99s appointment of a Chief Privacy Officer (CPO).\n\nWe request closure of Recommendation One upon issuance of the final audit report. A copy of\nthe executed Memorandum is attached.\n\n\n\n                                                                                         18\n\x0cRecommendation No. 2: We recommend USAID\xe2\x80\x99s key Agency privacy official clearly assign\nprivacy roles and define the corresponding responsibilities.\n\nManagement Response: The USAID CPO will issue a new ADS Chapter, USAID Privacy\nProgram, to assign the Agency\xe2\x80\x99s privacy roles and define corresponding responsibilities.\n(October 2006)\n\nRecommendation No. 3: We recommend that USAID\xe2\x80\x99s key Agency privacy official completely\nreference the Agency\xe2\x80\x99s privacy policies and procedures to other requirements in the Automated\nDirectives System.\n\nManagement Response: The new ADS Chapter, USAID Privacy Program, will reference\nUSAID privacy-related policies and procedures in the Automated Directives System (ADS), as\nwell as OMB privacy policy directives. (October 2006)\n\nRecommendation No. 
4: We recommend USAID\xe2\x80\x99s key Agency privacy official develop and\nimplement Agency-wide procedures for performing privacy impact assessments.\n\nManagement Response: The USAID CPO will develop formal procedures for performing\nprivacy impact assessments as supporting documentation to the new ADS Chapter on Privacy.\nThe existing draft Privacy Impact Assessment (PIA) template used for PIAs will be incorporated\nas part of this procedure document. (October 2006)\n\nRecommendation No. 5: We recommend that USAID\xe2\x80\x99s key Agency privacy official develop and\nimplement procedures for responding to privacy violations. At a minimum, the procedures will\ninclude:\n\n   \xe2\x80\xa2\t Identifying offices that must be contacted when a violation is identified;\n   \xe2\x80\xa2\t Determining the roles and responsibilities of the offices involved in responding to privacy\n      violations;\n   \xe2\x80\xa2\t Describing the type of information that should be reported; and\n   \xe2\x80\xa2\t Determining how lessons learned will be communicated to prevent future reoccurrences\n      of similar privacy violations.\n\nManagement Response: The USAID CPO will develop a supporting document to the new\nADS Chapter on Privacy that defines procedures for responding to privacy violations. (October\n2006) At a minimum, the procedures will include:\n\n   \xe2\x80\xa2\t Identifying offices that must be contacted when a violation is identified;\n   \xe2\x80\xa2\t Determining the roles and responsibilities of the offices involved in responding to privacy\n      violations;\n   \xe2\x80\xa2\t Describing the type of information that should be reported; and\n   \xe2\x80\xa2\t Determining how lessons learned will be communicated to prevent future reoccurrences\n      of similar privacy violations.\n\nRecommendation No. 
6: We recommend that USAID\xe2\x80\x99s key Agency privacy official develop and\nimplement an Agency-wide privacy training program.\n\nManagement Response: The USAID CPO will develop an Agency-wide privacy training\nprogram. Current implementation of the security awareness training includes elements of the\n\n\n                                                                                              19\n\x0cprivacy program. This will be more fully expanded. (October 2006)\n\nRecommendation No. 7: We recommend that USAID\xe2\x80\x99s key Agency privacy official develop and\nimplement a process to monitor the timely preparation and publishing of System of Records\nNotices in the Federal Register.\n\nManagement Response: The USAID CPO will develop a process to monitor the timely\npreparation and publishing of System of Records Notices in the Federal Register. The process will\nbe defined in the new ADS Chapter on Privacy. (October 2006)\n\nRecommendation No. 8: We recommend that USAID\xe2\x80\x99s key Agency privacy official establish a\nprocess to monitor Agency-funded websites to ensure the privacy of website users is protected.\n\nManagement Response: The USAID CPO, in coordination with the review process outlined in\nADS 557, will establish a process to monitor Agency-funded websites, ensuring privacy protection\nof website users. (October 2006)\n\nRecommendation No. 9: We recommend that USAID\xe2\x80\x99s key Agency privacy official request\nthat the Management Control Review Committee (MCRC) review the Agency\xe2\x80\x99s privacy program\nand consider reporting, tracking, and monitoring its weaknesses as a reportable condition for\nthe Agency.\n\nManagement Response: The USAID CPO will report progress on the recommendations in this\nreport to the MCRC for review before their next meeting. 
The CPO\xe2\x80\x99s report will permit the MCRC to\ntrack, monitor, and determine whether progress of USAID\xe2\x80\x99s privacy program in resolving\nweaknesses is a reportable condition. (September 2006)\n\nIssue for Consideration Outside Recommendations: Management notes that in the\ndiscussion before Recommendation 8, the audit team discusses USAID-financed websites on\nnon-.gov domains. We do not view this discussion\xe2\x80\x94in the context of privacy issues\xe2\x80\x94as\nrelevant to the topic of privacy of information technology systems. The Office of Management\nand Budget, in OMB Memorandum 05-04, frames the .gov issue in terms of information\nquality and information assurance\xe2\x80\x94not in terms of privacy. Residing on a .gov domain has no\nimpact one way or the other on the privacy of an information technology system user.\nManagement requests that this discussion be removed from the draft report as not relevant to\nthe immediate decision.\n\n\n\n\n                                                                                              20\n\x0cU.S. Agency for International Development\n          Office of Inspector General\n          1300 Pennsylvania Ave, NW\n\n             Washington, DC 20523\n\n              Tel: (202) 712-1150\n\n              Fax: (202) 216-3047\n\n              www.usaid.gov/oig\n\x0c"